Exclusive interview with Professor Ronghui Gu, co-founder of CertiK: Where will CertiK go amid the "rubber-stamp audit" storm?


In the crypto industry, security is the cornerstone of every project and platform. As blockchain technology matures and digital assets see wider use, security has become a central concern.

At the 2024 Singapore FinTech Festival (SFF), CertiK co-founder and Columbia University computer science professor Ronghui Gu delivered a keynote speech titled "Beyond Code, Leading Trust". In his speech, Professor Gu reviewed his academic journey and the transition from academic research to founding the Web3 security company CertiK, emphasizing the core concept that "security is not only a competitive advantage, but also a shared responsibility".

In his speech, Professor Ronghui Gu cited the roughly $2 million Merlin DeFi incident of April 2023 as a stark warning for the entire blockchain industry.

The Singapore FinTech Festival (SFF), one of the largest annual FinTech events worldwide, is jointly organized by the Monetary Authority of Singapore (MAS) and Elevandi. On that occasion, BlockBeats sat down with CertiK co-founder Ronghui Gu.

Academic Origin and the Birth of CertiK

In the 2010s, computer science became the hot choice for top students at Tsinghua. Unlike many of his peers who chased the latest research trends, Ronghui Gu chose a niche but deep direction: formal verification. The field uses mathematical proofs to establish the correctness of software systems and underpins critical infrastructure such as compilers and operating systems. Although it got a relatively late start in China, formal verification has long been in demand, especially for guaranteeing system security and stability.

At Tsinghua, Ronghui Gu studied under Professor Yuan Dong and first encountered formal verification technology. The research project he participated in, RA (Region-based Allocation), laid the theoretical foundation for him. His four years at Tsinghua cultivated his strong interest in academic research and also prompted him to pursue higher academic breakthroughs. After graduating from Tsinghua in 2012, Ronghui Gu chose to go to Yale University and continue his studies under the famous scholar Professor Zhong Shao.

The Yale laboratory was not only Ronghui Gu's academic origin but also the place where he first encountered the blockchain industry. In Professor Shao's laboratory he met a legendary figure of the crypto world, Roasted Cat (known in English-language media as Friedcat). Before his disappearance, Roasted Cat had already built a bitcoin mining-hardware empire, and Ronghui Gu was a witness to that early history.

Specifically, Roasted Cat was a doctoral student of CertiK co-founder Professor Zhong Shao in the Yale-USTC joint laboratory, as well as Ronghui Gu's senior and office mate in room 301 of the Yale Computer Science Department. "At that time I was learning the XCAP framework (the work of CertiK CTO Zhaozhong Ni), and I couldn't understand a lot of the Coq code. Whenever I had a problem, I would go ask Roasted Cat. Back then at Yale, Roasted Cat was preaching Bitcoin," Ronghui Gu recalled.

However, Ronghui Gu has no inside information about Roasted Cat's legendary disappearance. "In 2013, when I went back to China, to Suzhou (where the Yale-USTC laboratory was located), Roasted Cat even invited me to a hot pot meal, just the two of us. That was the last time I saw him. There was no contact after his disappearance."

Commercialization of Academic Innovation: From CertiKOS to CertiK

The research experience at Yale made Ronghui Gu keenly aware of the potential of formal verification. In 2016, he and his team successfully developed CertiKOS, the world's first fully formally verified multi-core operating system kernel.

In addition, Ronghui Gu's team developed SeKVM, the first formally verified commodity (KVM-based) hypervisor; worked with Arm to verify the Confidential Computing Architecture (CCA), which is slated for next-generation Armv9 chips; and worked with Ant Group to verify the HyperEnclave system.

These achievements not only drew the attention of the academic community but also showed Ronghui Gu the broad real-world potential of formal verification. "The success of CertiKOS made me realize that formal verification should not stay in the laboratory; it can provide strong security guarantees for the blockchain and Web3 fields," said Ronghui Gu.

Ronghui Gu and Professor Zhong Shao therefore co-founded CertiK in January 2018. The company name derives from "CertiKOS" and stands for "provably secure", which has become the emblem of the company's core philosophy. CertiK's goal is to bring the rigor of formal verification into the blockchain industry and provide top-tier security guarantees for digital assets.

With the support of Professor Zhong Shao and several Tsinghua and Yale alumni, CertiK assembled a star-studded founding team whose members combine strong academic credentials with industry experience. Co-founder Professor Zhong Shao, a graduate of the University of Science and Technology of China with a doctorate from Princeton University, chairs the Yale Computer Science Department and is a world-renowned authority in the field; CTO Zhaozhong Ni, Ronghui Gu's senior at both Tsinghua and Yale, has served as head coach for the Informatics Olympiad and guided students to multiple gold medals. Many of the team's senior executives and technical leads also come from Tsinghua and hold numerous honors from informatics competitions and the computer science field. This deep academic foundation and technical strength made CertiK a closely watched player from its inception.

Just two months after its founding, CertiK raised a $3.5 million seed round led by Lightspeed Venture Partners. The company grew rapidly and continued to attract capital: in June 2020, IDG Capital led a $7 million Series A; between 2021 and 2022, CertiK closed a series of rounds that took its valuation to $2 billion. According to public information, by December 2021 CertiK had achieved 20x revenue growth and a 4x increase in headcount.

Despite its rapid growth and the pace and size of its fundraising, CertiK has always exercised restraint. "During 2021 and 2022, there were indeed many investment institutions that approached us hoping to invest, and we did turn down a large share of them. Because CertiK's cash flow has always been very healthy, we prefer strategic investments that can help our business over purely financial ones, so we are selective about the investment we accept," Ronghui Gu recalled.

From Product Innovation to Industry Impact: CertiK's Rise

Becoming an industry unicorn takes more than a star-studded team; it also takes solid product innovation.

Over the course of its development, CertiK has continually launched new products to meet the changing needs of the blockchain industry. Among them, CertiK Skynet for Community, launched in 2022, is a project-security search engine built for Web3 users. The platform gives ordinary users security ratings to help them assess project risk, laying the groundwork for broader security awareness in the industry.

In 2023, CertiK launched SkyInsights, a real-time monitoring tool tailored to project teams. SkyInsights is both efficient and cost-effective, and helps teams maintain security and compliance in a fast-moving market. It has quickly become a valuable tool for project teams operating in the complex Web3 environment.

In 2024, CertiK further upgraded its product matrix and launched two influential new projects. CertiK Quest popularizes Web3 security knowledge to users in the form of Q&A and knowledge cards, cultivating broader security awareness in the industry; at the same time, CertiK Ventures announced a $45 million investment plan, aiming to support the growth of potential star projects in the Web3 field through capital, technology and talent. This strategic layout not only enhances CertiK's influence in the industry, but also consolidates its position as a leader in the security field.

In addition, CertiK has also upgraded its product line and proposed the concept of a "full life cycle security solution". This solution covers every stage of a project's growth from start-up to success, deeply embedding security into every aspect of the Web3 ecosystem, and is accompanied by a new slogan: "Elevating Your Entire Web3 Journey". CertiK has focused its security services on more specific targets, such as project parties, trading platforms, wallets, and end-users, ensuring comprehensive security through customized solutions.

"Many projects think that security is a one-time security audit before launch, treating it as a point-in-time service, but security needs to accompany the entire life cycle of a project. We hope to accompany users from the early stages all the way to launch, on-chain, on-exchange, and into the mature operational phase."

CertiK's security engine is the core of its technical competitiveness. Built on formal verification, automated scanning, and in-depth specification analysis, it helps security experts efficiently identify potential issues in code. Professor Ronghui Gu described it as the "intelligent assistant of security experts", similar to the role ChatGPT plays in text processing.

The model data of this engine comes from CertiK's accumulated audit experience and knowledge base over the years, covering code samples from 4,700 clients, 150,000 security vulnerabilities, and detailed reports on more than 40 major vulnerabilities. This data provides the engine with powerful analysis capabilities, enabling it to quickly identify potential risks in smart contracts and blockchain applications.

Taking the TON public chain as an example, CertiK not only provided code auditing and formal verification, but also helped with performance testing and community building after launch. This full-process support has gone beyond the traditional security field, further providing multi-dimensional value-added services for project parties. This also reflects CertiK's transformation from a single service provider to a "security partner".

Furthermore, with the widespread adoption of the blockchain industry, CertiK has gradually expanded its focus from the B2B (enterprise-facing) to the B2C (consumer-facing) domain. In 2024, CertiK launched the free community security tools Token Scan and Wallet Scan, providing simple and easy-to-use security detection services for ordinary users. The launch of these tools not only lowered the usage threshold of security technology, but also allowed more people to participate in the construction of the Web3 security ecosystem.

CertiK hopes that through these tools, end-users will have stronger security awareness and prevention capabilities. Gu Ronghui frankly stated: "CertiK has served 4,700 clients, found 150,000 security vulnerabilities, and reported more than 40 major vulnerabilities. We can say that we have made a very significant contribution to the community, but we are still not enough for the C-end and the developer community." In the future, CertiK plans to launch more free security tools to give back to the community and promote the healthy development of the industry.

Clarification and Response: Misconceptions about "Rubber-Stamp Audits"

In a field with rapidly iterating technology and complex security requirements, controversies are inevitable. From the criticism of "rubber-stamp" audits to the public questioning after some projects encountered problems, CertiK has undergone multiple tests from the public and the industry. How to face these issues, explain the underlying reasons, and at the same time make greater contributions to the industry's development, has become an unavoidable mission for CertiK.

A security audit is, in essence, a professional assessment of a specific code revision at a specific point in time, not comprehensive protection across the whole project life cycle. As an audit provider, CertiK faces several practical challenges:

1. Limitations of code scope: Many project teams submit only part of the code, or a test version of it, for audit. The audit can then only assess the risks in what was submitted and cannot cover the project's entire codebase. If the code is modified after launch without being re-audited, vulnerabilities can be introduced.

2. Post-audit changes: Some project teams modify code or add features after the audit in order to launch quickly, and these changes never receive a security review. Such "subsequent changes" are frequently the actual cause of a security incident, rather than an oversight in the original audit.

3. Cost and resources: Comprehensive, in-depth security audits are expensive, and not every project can afford them. Even well-known projects may opt for a partial audit because of budget constraints, which further increases their risk.

4. Disconnect between audit and execution: Even when CertiK delivers detailed risk findings and remediation recommendations, implementing them remains the project team's responsibility. Some teams do not fully carry out the recommendations or the remediation plan, which is another important cause of security incidents.
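Items 1, 2 and 4 above have a concrete check that any integrator or user of an audited protocol can run: confirm that the bytecode actually executing on-chain is the bytecode that was audited, including behind an upgradeable proxy. The following is an added example and not CertiK's tooling or anything described in the interview. It assumes an EVM chain, replaces the node's eth_getCode / eth_getStorageAt with an in-memory stub, and uses constructed addresses and bytecode; the EIP-1967 slot constant is the real one.

```python
"""Check that the bytecode running on-chain is the bytecode that was audited.

Added example, not CertiK's tooling. It assumes an EVM chain and stands in
for eth_getCode / eth_getStorageAt with an in-memory stub; every address and
bytecode below is constructed for the demo.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from hashlib import sha256

# EIP-1967 logic-contract slot: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = 0x360894A13BA1A3210667C828492DB98DCA3E2076CC3735A920A3CA505D382BBC


@dataclass
class FakeChain:
    """Stub node: address -> runtime code, (address, slot) -> storage word."""
    code: dict[str, bytes] = field(default_factory=dict)
    storage: dict[tuple[str, int], int] = field(default_factory=dict)

    def get_code(self, addr: str) -> bytes:
        return self.code.get(addr.lower(), b"")

    def get_storage_at(self, addr: str, slot: int) -> int:
        return self.storage.get((addr.lower(), slot), 0)


def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer solc appends to runtime bytecode.

    Its last two bytes give the trailer length. The trailer holds a hash of
    the compilation metadata, which differs between builds of the same source,
    so it must be excluded or every honest rebuild looks like a mismatch.
    """
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    if n + 2 > len(code):
        return code  # no plausible trailer; compare the whole thing
    return code[: -(n + 2)]


def fingerprint(code: bytes) -> str:
    # Assumption: SHA-256 as the fingerprint. keccak-256 is the EVM-native
    # choice but is not in the standard library; the technique is the same.
    return sha256(strip_metadata(code)).hexdigest()


def resolve_implementation(chain: FakeChain, addr: str, max_hops: int = 4) -> tuple[str, list[str]]:
    """Follow EIP-1967 proxies to the contract whose code actually runs."""
    hops = [addr]
    for _ in range(max_hops):
        impl = chain.get_storage_at(addr, EIP1967_IMPL_SLOT)
        if impl == 0:
            return addr, hops
        addr = "0x" + format(impl, "040x")
        hops.append(addr)
    raise RuntimeError("proxy chain too deep: " + " -> ".join(hops))


def check_deployment(chain: FakeChain, addr: str, audited_fp: str) -> dict:
    """Compare the live logic contract against the audited build's fingerprint."""
    target, hops = resolve_implementation(chain, addr)
    code = chain.get_code(target)
    if not code:
        return {"ok": False, "reason": f"no code at {target}", "hops": hops}
    live_fp = fingerprint(code)
    return {"ok": live_fp == audited_fp, "target": target, "hops": hops,
            "deployed": live_fp, "audited": audited_fp}


# ---- constructed demo data -------------------------------------------------
def with_trailer(body: bytes, metadata_hash: bytes) -> bytes:
    """Constructed stand-in for solc's 51-byte CBOR trailer plus 2-byte length."""
    trailer = b"\xa2\x64ipfs\x58\x22" + metadata_hash + b"\x64solc\x43\x00\x08\x19"
    return body + trailer + len(trailer).to_bytes(2, "big")


AUDITED_BODY = bytes.fromhex("608060405234801561001057600080fd5b50")  # constructed
PATCHED_BODY = AUDITED_BODY + b"\x5b"  # one opcode added after the audit
AUDITED_FP = fingerprint(with_trailer(AUDITED_BODY, b"\x11" * 34))  # from the audited commit

PROXY, IMPL_V1, IMPL_V2 = ("0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20)


def build_chain(upgraded: bool) -> FakeChain:
    chain = FakeChain()
    # v1 is the audited source rebuilt elsewhere: only the metadata hash differs.
    chain.code[IMPL_V1] = with_trailer(AUDITED_BODY, b"\x22" * 34)
    # v2 is the unaudited "quick fix" pushed through the proxy's upgrade path.
    chain.code[IMPL_V2] = with_trailer(PATCHED_BODY, b"\x33" * 34)
    chain.storage[(PROXY, EIP1967_IMPL_SLOT)] = int(IMPL_V2 if upgraded else IMPL_V1, 16)
    return chain


if __name__ == "__main__":
    for upgraded in (False, True):
        verdict = check_deployment(build_chain(upgraded), PROXY, AUDITED_FP)
        print("upgraded" if upgraded else "as audited", "->", verdict["ok"], verdict["hops"])
```

Two design points matter in practice. First, the metadata trailer must be stripped, otherwise a faithful rebuild of the audited commit on a different machine is reported as a mismatch and the check gets switched off. Second, the comparison has to be made against the logic contract the proxy currently points to, not the proxy itself, because an upgrade leaves the proxy's own bytecode untouched; in a real deployment the check would be re-run on every Upgraded event, and immutable variables baked into the bytecode would additionally need masking before hashing.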

CertiK has also responded to these criticisms with concrete measures. Since 2020, for example, it has published all of its audit reports so that users and the community can scrutinize them. At the time, the decision to publish met broad opposition within the company, from partners, and even from investors.

"Because once it's public, anytime a security incident occurs, everyone will associate it with CertiK. Currently, no other security company dares to publicly disclose all audit information, because it means they will have nowhere to hide when facing problems. For CertiK, transparent information is a double-edged sword, but it is a positive driver for the industry," Gu Ronghui explained.

"We insist on executing this choice even though it poses challenges for CertiK, as long as it benefits the industry. From 2020 until today, CertiK has always maintained its original intention, and even when there were problems with some projects, CertiK also took on the resulting negative impact. To this day, we still publicly release the reports on our website," Gu Ronghui stated.

To address these issues, CertiK has also launched the CertiK Skynet ranking and security scoring system to improve the transparency and authenticity of audit reports. Because the rankings and project pages serve the reports directly, a reader can retrieve the original report rather than rely on a copy a project circulates, which removes the risk of a tampered or forged report. CertiK's security rating combines on-chain data, GitHub repositories, audit information, and community status to give users a more complete picture of a project's security.

CertiK has also launched the Quest feature, a question-and-answer reward mechanism intended to surface more technical detail and security knowledge to the community, helping users understand a project's security posture and the role security plays.

Web3 security has never offered a guarantee of "perfect security"; it is a dynamic balance between technology and risk. In that process, CertiK must contend not only with technical limits and project teams' execution, but also with the pressure of public scrutiny.

Responsibility in Crisis

In Web3, the boundaries of hacker behavior are blurrier than on the traditional internet. The classic "black hat" versus "white hat" distinction has a large gray area: some hackers claim to be exposing vulnerabilities for the "public good", yet their actions may not comply with existing laws and regulations. This complexity creates additional challenges for security companies.

Since 2020, CertiK has carried out more than 70 white hat operations, strictly following the white hat code of conduct and discovering and helping to fix tens of thousands of security vulnerabilities without harming users or the public interest. CertiK received the top bug bounty from the Sui project, for example, for discovering critical vulnerabilities. CertiK also has industry-leading on-chain real-time attack monitoring and early-warning capabilities, and has tracked fund flows in cases linked to the Lazarus Group, contributing valuable defensive experience to the industry.

However, CertiK also knows that relying solely on technical means is not enough to comprehensively solve the problem. Web3 security issues not only exist at the technical level, but also involve the complex interactions of human nature and trust.

In the Merlin incident, for example, the root cause was not a code vulnerability but malicious behavior by insiders. CertiK has since strengthened its mechanisms against insider threats through stricter background checks and real-time monitoring.

CertiK also once reported to a trading platform a vulnerability that allowed the exchange rate to be set arbitrarily, an early warning delivered essentially free of charge. Had the vulnerability gone undiscovered, the platform could have faced an existential crisis. Professor Ronghui Gu said in the interview: "Much of our work is not seen by the outside world, but it is these invisible efforts that have prevented many potentially major losses."

On the Web3 security battlefield, attackers' methods are growing ever more sophisticated, with the Lazarus Group as the typical example. The group has caused a large number of security incidents worldwide through sophisticated social engineering, supply-chain attacks, and inserting malicious code while posing as developers.

CertiK not only confronts the Lazarus Group on the technical front but also continuously tracks the funds involved in its cases using fund-tracing and anti-money-laundering tools. The mastermind behind the Merlin incident was later confirmed by the United Nations to be linked to the Lazarus Group, and CertiK's investigative work on that case was seen as a model of "zero-distance confrontation" with the attackers. It also prompted CertiK to upgrade comprehensively in areas such as fund tracing, vulnerability scanning, and KYC (identity verification).

"The Web3 security industry requires 24/7 high vigilance, constant confrontation with hackers, and continuous efforts to defend the interests of clients and communities. Although this war may never be completely resolved, it is precisely this feature that gives CertiK a strong sense of mission. We will adhere to our original aspiration and guard the security of Web3 throughout."

Unchanged Aspiration, CertiK Will Lead the New Future of Blockchain Security and Compliance

In the future, CertiK, which is committed to promoting the blockchain industry for good and upholding the white hat spirit, will not only continue to maintain its position as a blockchain industry unicorn, but also actively take on new responsibilities and roles. Currently, CertiK has established cooperative relationships with regulatory authorities in five countries and regions, playing an important role in policy formulation and compliance support.

Professor Gu Ronghui, as a member of the International Technology Advisory Committee of the Monetary Authority of Singapore (MAS), has participated in the discussion of several important frameworks. He has also been invited to be a member of the Hong Kong Web3 Development Task Force, assisting in the formation of digital asset management rules.

At the Singapore FinTech Festival, Professor Gu Ronghui, as a keynote speaker, shared his views. He stated that "the core of regulation is to be 'manageable, visible, and enforceable'. In the face of increasingly complex on-chain transactions today, security has become a key pillar of regulation."

CertiK's cooperation with governments is broad and deep. For example, CertiK advised on the stablecoin regulatory framework jointly issued by the Hong Kong Monetary Authority and the Financial Services and the Treasury Bureau; participated in the Japanese Financial Services Agency (FSA)'s drafting of compliance policy for yen-denominated stablecoins; worked with the Malaysia Digital Economy Corporation to develop policy documents for the Metaverse and Web3; and signed memoranda of cooperation with the city governments of Seoul and Busan in South Korea to provide technical support for blockchain security and risk control. These efforts both consolidate CertiK's leadership in the industry and demonstrate its sense of responsibility for the industry's development.

At the same time, CertiK announced the launch of its venture capital department, CertiK Ventures, and established a $45 million investment plan to support emerging projects with high potential in the Web3 ecosystem. This plan is not only a commitment to the industry's future, but also an important step in CertiK's transformation from a technology provider to an ecosystem driver.

CertiK Ventures' investment focus is on projects related to security and infrastructure, especially those with sustainable and scalable business models. CertiK hopes to help these projects stand out in the fast-paced track through financial and technical support, and build long-term technical cooperation relationships with them. CertiK Ventures plans to start allocating funds from the fourth quarter of 2024 and continue until the end of 2025, providing comprehensive growth support for more projects.

Beyond government cooperation and the new VC arm, CertiK also revealed its latest plan, the "21 Plan", which aims to meet the standards for a public listing within 21 months and has "Client Insights First" as its core strategy. By digging into customer needs, CertiK intends to build a product-optimization and service-improvement system driven by customer feedback.

Under the guidance of this plan, CertiK has launched a full life-cycle security solution. This solution covers the entire growth process of a project, from the conceptual stage to post-launch, from the initial design review to code auditing, and then to community management and performance optimization after launch. CertiK has expanded its security services from defense to support, enabling Web3 projects to achieve continuous innovation on a secure foundation.

CertiK's vision for the future also goes beyond the traditional security field. Against the backdrop of Web3 gradually becoming mainstream, CertiK plans to expand its service scope to more traditional enterprises, helping them smoothly enter the blockchain ecosystem. Facing the alternation of bull and bear markets in the industry, CertiK has laid the foundation for sustained growth by optimizing the team structure and strengthening technical capabilities.
